Subject: "Router" question...
To: None <netbsd-help@netbsd.org>
From: Mason Loring Bliss <mason@acheron.middleboro.ma.us>
List: netbsd-help
Date: 10/29/1999 19:51:59
Hi, all.

I've got a question... I'm setting up a router box using NetBSD 1.4.1. It's
not going to be NAT-based. The network is a class C, and the box is looking
at it as two subnets.

Here's how the interfaces go. Ignore the 10.x numbering - I simply don't want
to publicise the network at the moment.

ep0 = 10.0.0.250 netmask 255.255.255.0   broadcast 10.0.0.251
ep1 = 10.0.0.253 netmask 255.255.255.252 broadcast 10.0.0.255

I can ping the box from the outside and from the inside. Also, I can ping the
outside and the inside *from* the box.

Here are the relevant routes, all static:

Destination      Gateway            Flags 
default          10.0.0.254         UG     
127.0.0.1        127.0.0.1          UH     
10.0.0.0         link#1             U      
10.0.0.252       link#2             U      
10.0.0.254       0:0:c:3e:6a:b9     UH     

The problem is that packets are not forwarded between the interfaces. I don't
have IPFORWARDING in the kernel, but I *do* have GATEWAY, and it seems to be
setting the forwarding value correctly:

/etc# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding = 1

Is there something wrong with my assumptions about how this is supposed to
work? It seems like the box is ignoring packets sent to it that are destined
for other machines. I thought that such packets were supposed to be forwarded
from interface to interface, but I may well be missing something.

Thanks kindly in advance for clues!

PS: More information... If I have both firewall interfaces plugged into a
hub alongside my actual router, and set the default route on some inside
machine to point at the firewall, packets travel correctly half-way. That is,
I can traceroute to somewhere outside and see that the route passes through
the box I'm setting up. However, looking at a tcpdump while this is happening
shows me that return packets aren't going through the firewall box, as there's
no real reason for them to do so, excepting that I'd think that the interfaces
on the firewall would want to pass the packets back and forth. But, in any
event, packets move this way. When I take the firewall's external interface
and plug it directly into the router, however, traffic stops. I expect that
this is a result of packets simply not being pulled from one interface to the
other. (Remember, I *could* successfully ping the firewall box through the
router with the two directly connected. Besides, I'm using 10base2 between
the two to simplify things by sidestepping having to use a crossover cable.)

Again, thanks in advance.

-- 
   Mason Loring Bliss   mason@acheron.middleboro.ma.us             E w i g e
awake ? sleep : dream;  http://acheron.ne.mediaone.net  Meerschweinchenkraft
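As an added check that is not part of the original post: the interface addresses and static routes quoted in the message above, run through Python's standard `ipaddress` module to compute each interface's connected subnet and the broadcast that netmask implies, to flag connected subnets that overlap, and to do the longest-prefix route lookup the forwarding path performs for a given destination. The 10.x addresses are the poster's placeholders, copied as given; the `UH` host entry for 10.0.0.254 is left out because the post does not say which interface it is attached to; the table layout and the function names are mine.

```python
"""Subnet and route sanity check for a two-interface router.

Constructed from the interface and route listing in the post above; the
10.x addresses are the poster's placeholders, not real network numbers.
"""
import ipaddress
from itertools import combinations

# Interface table as given in the post: (address, netmask, configured broadcast).
INTERFACES = {
    "ep0": ("10.0.0.250", "255.255.255.0", "10.0.0.251"),
    "ep1": ("10.0.0.253", "255.255.255.252", "10.0.0.255"),
}

# Static routes as given in the post, as (destination prefix, next hop).
# "default" is written as 0.0.0.0/0; link#1 and link#2 are ep0 and ep1.
# The UH entry for 10.0.0.254 is omitted: the post does not say which
# interface it belongs to.
ROUTES = [
    ("0.0.0.0/0", "10.0.0.254"),
    ("10.0.0.0/24", "ep0"),
    ("10.0.0.252/30", "ep1"),
]


def iface_network(addr, mask):
    """Connected subnet for an interface address and dotted-decimal netmask."""
    return ipaddress.IPv4Interface(f"{addr}/{mask}").network


def expected_broadcast(addr, mask):
    """Directed broadcast address implied by addr/mask."""
    return iface_network(addr, mask).broadcast_address


def broadcast_mismatches(interfaces):
    """Interfaces whose configured broadcast differs from the one the mask implies.

    Returns {ifname: (configured, implied)} for each mismatch.
    """
    out = {}
    for name, (addr, mask, bcast) in interfaces.items():
        want = expected_broadcast(addr, mask)
        if ipaddress.IPv4Address(bcast) != want:
            out[name] = (bcast, str(want))
    return out


def overlapping_interfaces(interfaces):
    """Pairs of interfaces whose connected subnets overlap.

    A router forwarding between two interfaces needs them on disjoint
    subnets; otherwise hosts on one side treat the other side as local.
    """
    nets = {n: iface_network(a, m) for n, (a, m, _) in interfaces.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def route_lookup(dst, routes):
    """Longest-prefix match over the static table; returns the next hop."""
    ip = ipaddress.IPv4Address(dst)
    best = None
    for prefix, via in routes:
        net = ipaddress.IPv4Network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return None if best is None else best[1]


def egress_interface(dst, routes, interfaces):
    """Interface a packet to dst leaves on, resolving a gateway hop once.

    A gateway next hop must itself be reachable over a connected subnet,
    so the gateway address is looked up against the link routes only.
    """
    via = route_lookup(dst, routes)
    if via is None or via in interfaces:
        return via
    connected = [r for r in routes if r[1] in interfaces]
    return route_lookup(via, connected)


if __name__ == "__main__":
    for name, (addr, mask, bcast) in INTERFACES.items():
        print(f"{name}: {addr}/{mask} -> subnet {iface_network(addr, mask)}, "
              f"implied broadcast {expected_broadcast(addr, mask)}, "
              f"configured {bcast}")
    print("broadcast mismatches:", broadcast_mismatches(INTERFACES))
    print("overlapping subnets:", overlapping_interfaces(INTERFACES))
    for dst in ("10.0.0.10", "10.0.0.254", "192.0.2.1"):
        print(f"{dst}: next hop {route_lookup(dst, ROUTES)}, "
              f"leaves via {egress_interface(dst, ROUTES, INTERFACES)}")
```

Run against the numbers in the post, the check reports that ep0's connected subnet (10.0.0.0/24) contains ep1's (10.0.0.252/30), that the broadcast configured on ep0 is not the directed broadcast a /24 implies, and that a destination of 10.0.0.254 matches the /30 and so leaves via ep1 while lower inside addresses leave via ep0. Whether any of that explains the observed behaviour is for the thread to settle; the script only makes the arithmetic explicit.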